Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Price War: iDefense Doubles Bounty for Security Flaws



 By: Ryan Naraine
2005-07-28
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
TippingPoint's entry into the market for buying software vulnerability information triggers an immediate reaction from the competition.

LAS VEGAS—The decision by 3Com Corp.s TippingPoint division to pay for the rights to information on software vulnerabilities has triggered an immediate response from iDefense Inc., the company that previously held a monopoly on the flaw bounty business.

Effective immediately, iDefense is doubling its pricing structure for vulnerability submissions and hiking the value of the incentive and retention reward programs.

Paying for flaws has been paying off for iDefense. Click here to read more.

In addition, the VeriSign-owned company announced the launch of a new growth reward program that offers lump sum payments for hackers who continue to increase their level of participation in the controversial VCP (Vulnerability Contribution Program).

The bounty increases come just days after TippingPoints launch of the Zero Day Initiative, a program that pays researchers for data on vulnerabilities. The company said ZDI will promote responsible disclosure by working closely with affected vendors to get patches created before the flaws are made public.

Does paying for flaws undermine security? Click here to read more.

Neither company will say how much it pays for the flaw information, but Ziff Davis Internet News has learned that proof-of-concept exploit code for a code execution bug in a product like Microsoft Corp.s Internet Explorer browser could earn the flaw finder more than $6,000.

Resource Library:

That price automatically doubles with iDefenses latest move, which is likely to prod TippingPoint into matching.

iDefense Labs Director Michael Sutton said the expansion of the VCP will immediately offer "substantively increase[ed] pricing."

"First off, effective immediately, we will be doubling our standard pricing structure for vulnerability submissions. As always, in order to obtain a price quote, we require that a contributor first submit a discovery to contributor@idefense.com. Once accepted, we will gladly provide a price quote and forward the appropriate contract," Sutton said in a notice posted on a popular security mailing list.

He also announced the sweetening of the pot for the iDefense rewards program, which provides an incentive to the top five contributors each year. The biggest contributor can now earn a $10,000 incentive, up from $5,000.

The iDefense incentive program, which rewards the top three vulnerability contributors each quarter, has also been increased by up to $2,000.

Sutton said a new Growth program will also be implemented to reward contributors who increase their level of participation in the VCP.

The burgeoning competition between iDefense and TippingPoint was being discussed in the hallways of the Black Hat Briefings here. TippingPoint is using the conference to drum up hacker interest in its new program and, for the most part, researchers welcomed the opportunity to earn money for flaw discoveries.

"If they keep upping the price, more power to us," said one researcher who has submitted vulnerabilities anonymously to iDefenses VCP. "Im pretty sure the highest bidder will win the day because these guys need to earn money."

Officials from Microsoft Corp.s security response center were also paying close attention to the news. In an interview, MSRC Director Kevin Kean said Microsoft supports any initiative that promotes the responsible disclosure of vulnerabilities.

"If its a program in place to allow us to get an update out to customers before it becomes a big risk, were happy to see that," Kean said.

"There are two things that we want. We want to know about the vulnerability as early as possible. And we want to know about it responsibly. If these companies report things to us in a responsible way and work closely with us to get customers protected, were happy."

Asked if Microsoft would consider a bounty program of its own, Kean said, "At this time, we dont think paying for vulnerabilities is what we should be doing."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Price War: iDefense Doubles Bounty for Security Flaws
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r8s;Ӯcvْ˚-*Ou%B!)/=w~⼜?qfঅt{)W-`HD"?H9wtô'1%3t;D{{}!ЇP|oS/92t4G:a;6]dU~ƷPN6O)L|@ɠ#ӱaGPu#o8sh#m#HSKVUBX)ڑx>oچs[=0Q9n~~7~+eUvѻ]H CKo5-%ZAT\tNi\v? 9NAַ߈ JDTRBh$" ԆNWP u/jzQҏZF-oZjZAS# TFIja>E4f‰EUq}oϦe}}uI}rv|i"|#9ĠV*PFbЊ%+gxgZtܜn/9n:MvIs!)|u!5 0\68cUZ~['^=v??,rG=jZ-$53IULxy$Y)r"?_Cn&J ݒeL_;D_KŗG)H7#ǚM#4ȌcPu t9C;L}NZZR E/<@'D17fIs(,eg{ MH:#kM`3R˼IK2_VJ-ɿEh+dԌTwIQa#waẍ_,ʹcc^IR]E6\}yp1jYY6'*daeIUi3[dhEށؓi|nUO^ *WFnZ`sQM}{Qk,VRSWL@F̶-a[ e uu}y>#ZG>O=3jY}vi|Q}Ѧޣ83}45 @ Lna ;p|g͇v9s a {>0sF}j`IA 6]LR}b;>t9 PhQ0<sxLLσ JCˋƠ` VPC9N@FܧP}MrA=39;ݴiǀxԘ(.aHd˕F ] cRRP$C$hI#r B1,`@n!`G [AXk ab .u@Gҹ3qjP*kR1eb -x[b~ILg2+Iɴh4Z*ȉ#m"09X ,gZ Xk%ּ fiZ\OG4MhȄ%#ܺye&,@PCb;*O<sy h? OzuG#:\VM+}t>xFx$SS- ݜ6,hJ"+p5(Bk?fx Q=6:eR#O>uK-vc k2ZE'6`FUMRAZzI2ۿh |(&]LqαrB&k*H(X3b-y6yBN{r+kF&+)\=P>Д /+b*q (tzS\O Όō$ЊO}?ٲJd-Yֽk%fsP*uR@_F&ےx A-ʘƗZZ"JMP>VL"CɣQHd - ג686pc>7l{`(`R5JȄe:lTbՒhX6k|-[Y`CbeܡQ7$XsQ[Җ|x u8.Cϱȗ s=: 7S=`ʸO6X*'lBJeǝ:~ҧ ، MM̔>Y[ "~2|P +PޣЁ*:tǙk2읶])ϥ_8ͧ6v&:Le"6Xci=CGOw]1W=Z`"Af2,ƸL~6=2.eX"{;gcOf:YIt]j%rapxp_SsHl4$T2Paǎ73] eayewPySc'vB5d809C-Ko=>>:ĢTQ݂*6u RN}(Xk;>սT:㽝 cA\$ @0 !PTQ-W0"ƂsKsKU1SO"nƻhA{-X]>(Dtl?a"%h G=ܸ~?CÜU^of$JPVbtxѡUT9*Ju|}s??]ex$ r@8@w7l40zR8A};݁/r?2:?b + ;2E<& &{-KZ }4t!/cԧjMqѡ,uo¸䪢-}+[3؝?F'E{耰⢉!H{3E&pӜNހ%5- ?$Fd#ӀY?rxP2] `9`)lTgm/ RU *~e;:j/R.8F2( Cs]QB-Ph O5cš9k+4C |3MdhH;_NNͯ6> s7}&mnf]{m_xoÉ̍<9EY7WVb=>` $Dq58_BnGIlLa`Dhby;@<}誦C}0hRYpQbseyuejz>cVA=jT5F70pZ&c=ܕ[7ec &scd{ WϝiqHYfAd#<6i2 1y=0fӅr Vl^./]>L8hn1] }"8DA$۝'S>(Zb]|RJJ\ (J+HA:erȗ?fny" 2rS-Bdrq#Z7MBR%%!fͳ!VA#Ǹ.6A(™)xIHl59l)`R(S=ZTX" .)D`7ϰx3v.b MYV#eZ,nAyr @Nos/$NM.j2~*A?0TA*o!(0IH_dpSi;d':uvr&hEw%]Ͻn:!)hl/{ٗNxyϥүNӽ<$ "h#r|;o(o'rEcR|I{޽͎y-%{w;OjtKCȃ!zNfS L k;d8)Hhdjm\8`&zikR_KվĂ $"jM3$nh0S)Ͻ/Q֭ Bb/3?B!|JgG6>"iZ7* Í76w jE5P!ARB9kũ-ݱi'y0:Ɩs8쀒N1z̩lOܡM]=-gSs S)ҤAgJȄfye5)a5R!MLCYOC/ $f;kB:\x{ giMN.m2jt.>6D2F߳`m\&0 q4CE HY)o9yBn }6PגR4jշΫT~,jƇG6O=aCrWkb~]XZU$Mݝf0أiפybAc$H~ `@wGL|9~ǿ§ ' ;s] '伉*^QW{2.}?H/K턟isP!OgdLg!I ɫ׺w7}ʜ9%'+xs|/'C(oP2Y:pOҤs=b(-93{KLwKUb_{+&bi4W3XT=}v{fvÏ9&i ј@.-vc鼳2> ACVrl8w@rs&cܓPfp~n ֘@lll4RbhLy]9٢pr[0\9f>m` \qlĨ`jx?̴afwH`|x4*jIbߴ,rc_;3 ML8di=L_dcj?c;2'&RIsF=s7^=} t?>}-$Z+NPJMn0]B렳!񥾳Bld5mh32Pq <9 ) +]1I'VׇB[QT}(bS"v *F /]U֓M,VmbLI^I?xD^\Vk{I܂ItTZ-4y 'ן^_!/=Ӎ ǻHtHv=ՓӛO,1+;GzB=lR|Y LkOl$} ԐsEG+%C+kxeDG"ay#}$Eǘ ^:C}q2-Ag d Hm׮Hǿߕ4IlKH#$& i"٥cThǎs+Z\BQtcs" "0{#4Q;U߉jJjy[*B=ƌeSBB.#tӖ*5cpD$?GϋE.e`HM*oQA>=!fƳ^߉+lKEL$){)K9J߁ ^}#66x%+Vaҗ^c`*Tsf`Zs\"GkjU  07 @ [žei<:VZU^\1c , }vT)JWvԄY9XfK`J%B=<8/ ]O8xT IR 0AT˛ WEU1'~ud=8V7kJx AEEEE?EjZ|u,>_S͐#83w/s -f/ILLDDOכsoQcB?x rԍnI /DN$4 țϤt2fKM}4 `FGAL` xy"aI hr3^ޒ^̳܎4C~> :ej2Ď+z$wuBq$lƸ'/vQ@ZElI/졘_ZהycJ};HW'WϬ>oKl]$3VZw]*&7S=8[y4S2Ěga+I錂qnrGJ3ƚe<-~n'@= Yvb>8\BOhA|`߱1!W 8wiS|^_VBVRǗy0B2$oM -{8S[xz1̕D15:&lK"j:?Gx0u0⥰{#L4.NeãEz@9Ъ e/+UZWqiUZPy&sjxíVQjj~zr_ZRӂ,w)]do=?5֘0.HtL'fisđۋuNhO0V xfV-j%VG0 ,2;4}$gۦ~ lE"td|G,%_[%FFV#lEi&⬮Ë..;Z-'|͌V:mxxi)4Ljxb*1bVeզɝ$7zg^ۿ[!VU%ruZ_D_tjh4*>bN ~'}& )<]Сܛ r@JIg8<|^{00/b=#-#8>xAfaX4B&s'ُpS;B΀௅nX{+$ʽOg-<*-bWld"$@_Ѿi?!=4;};ozxX2r*圭#+^bʑf,޾t}SjJT";'0枩T1,3)kM(qi+8<4>|?_ziJ0%Y\A~cs<mDRPabb>3,ni9ӈ iuAKs9z!Kq{y9r_~ CX 8?]N"@[ g o cn Q@J ͍$+\qn`:>0"(S[]ă08]3(OqW'NgCj`N ` \N+r PPgA~6Llݜ(8&jq$!%H$bcx=9`6B2dzwȗ?0(.ŌCZQJФ*t+R0cU-%+t'x7n?z.4!W)WPh s#cvFCX>)h``frOuvcѼ:JNפINm|;\;Kr>9'lkE‰/WQwq{sپ\sSM·_s}eP0mw %e9ũxKs!Yx9K xU< /ELyx&0Kn?> N|D0/& F^M21uSl۽֖S݀VՑt.5]rRO-q7x'L:X)` чzQc p!>E'}ҽlIJ/6ρ3?A_׌k(^_~JmfwQ__'P~s?/?gVieC:CL2^Qʿ/?/𶟌_d_d^ds E/>/2">G/3ʿdAYFߠoP~Q{1?s w1]7]? ͐/W@Wq_e sA?=/c=/c}~__s}}/Y0/(*ɠh& K:ICP.Np3Kq /ޯ?e4@yJ͠2,c2\.d e{5[?[vNBX\jzr+^gi5v+iAư۸/6^a/  ^敽I=$xEq\+gل@CX{#uO'NW4Cﹺ d^ Wsr>VD=VbMxG,DlDZJ91baOd_[ 0{$%YØ/ܻ Gz‰nQ$?5̊RlOAptDw9ayɫs%>| SG075iqq[~|^YcPW,MdB'pZc( fZ g8 a箩%gj#.X&">m?'.}Fu+J'x!|j7;5mv8'c.Lc0ŬBCh=)O4'[n 5E`_0v4aeh خ;Oq^' 3>Ƌrx{Go'۹1]w*ۓ|?Oe Mt8?B&s ܐ}olI CO~=HHJ B ϱ5]&\fTjџfѮBTnlPP`Oՙj3w6E}2\XGx kok3gx [] D peӕx" 7]Kl 1C>b]R>EK ]'[٧3й?-{/e;ɾ,{ QFbf9NhՆGHǸ׭[ [ qy6` <Щ1DM.vQeN܌1G릍\ ѨpSTؕEd3^kgD$+]ycQ1W)ov$пfpalX  ^|޹MwϏq`2[uzZ[8K cd. , $8jVI{{a0&iE-㨤t`C v_ʉ~ph;?҈>A wVǰ>BO SoO80Ux|-h\};}xXˉ>dS1C'@j0\|AH d9[\O^مu&3k/YH~>  \99.@$ASP_Xџ]<"ړT+ + Sq=o/]7?Yi/6/:_yH%B=C QFk;O(QF2x?\Q|=^`gh[^z<%-Gӽn D>Vju.?&+e={`os g